Distributed interactions can be suitably designed in terms of choreographies. Such abstractions can be thought of as global descriptions of the coordination of several distributed parties. Global assertions define contracts for choreographies by annotating multiparty session types with logical formulae that validate the content of the exchanged messages. Introducing such constraints is a critical design issue, as it may be hard to specify contracts that allow each party to progress without violating the contract. In this paper, we propose three methods that automatically correct inconsistent global assertions. The methods are compared by discussing their applicability and the relationships between the amended global assertions and the original (inconsistent) ones.

1 Introduction 

Choreographies are high level models that describe the conversations among distributed parties from a global perspective. Global types [6] and global assertions [3] provide an effective methodology for the design of distributed choreographies (as e.g., in [1]) by allowing static checking of a number of properties such as deadlock freedom and session fidelity.

Intuitively, global types establish the interaction pattern for the harmonious coordination of distributed parties, while global assertions combine global types with logic to support design-by-contract. Basically, global assertions decorate global types with logical formulae (predicates) that constrain interactions, declaring senders' obligations and receivers' requirements on exchanged data and on the choice of the branches to follow. This adds fine-grained constraints to the specification of the interaction structure. For instance, the global assertion

$$\mathsf{Alice} \to \mathsf{Bob} : \{a \mid a > 0\}.\ \mathsf{Bob} \to \mathsf{Carol} : \{b \mid b > a\} \qquad (1.1)$$

describes a protocol with three participants, Alice, Bob, and Carol, who agree on a "contract" constraining the interaction variables $a$ and $b$. The contract stipulates that (i) Alice has to send a positive value to Bob in the first interaction, and that (ii) Bob is obliged to send Carol a value strictly greater than the one fixed for $a$ in the first interaction. Notice that Bob can fulfil his pledge (i.e., the assertion $b > a$ in the second interaction above) only after he has received the value $a$ from Alice.

Once designed, a global assertion $\mathcal G$ is projected on endpoint assertions, that is local types (modelling the behaviour of a specific participant) constrained according to the predicates of $\mathcal G$. For instance, the projection for Alice in the example (1.1) above is an endpoint assertion prescribing that Alice has to send a positive value to Bob. Endpoint assertions can be used for static validation of the actual processes implementing one or more roles in a choreography represented by $\mathcal G$, and/or to synthesise monitor processes for run-time checking/enforcement.

*This work has been supported by the project Leverhulme Trust Award Tracing Networks.
The methodology described above can be applied only when global assertions are well-asserted [3], namely when global assertions obey two precise design principles: history-sensitivity (HS for short) and temporal satisfiability (TS for short). Informally, HS demands that a party having an obligation on a predicate has enough information to choose values that guarantee it. Instead, TS requires that the values sent in each interaction do not make the predicates of future interactions unsatisfiable.

The main motivation of our interest in HS and TS is that, in global assertions, they are the technical counterparts of the fundamental coordination issue that could be summarised in the slogan "who does what and when does (s)he do it". In fact, HS pertains to when variables are constrained and who constrains them, while TS pertains to which values variables take. The contracts specified in global assertions are, on the one hand,  "global" as they pertain to the whole choreography while, on the other hand, they are also "local" in (at least) two aspects. The first is that they assign responsibilities to participants (who) at definite moments of the computation (when). The second aspect is that the values assigned to variables are critical, because one could either over-constrain variables fixed in the past or over-restrict the range of those assigned in the future (which). These conditions (especially TS) are rather crucial, as global assertions that violate them may be infeasible or fallacious. For instance, if the predicate for Bob in the second interaction in (1.1) were $3 > b > a$, then Bob could not fulfil his contract if Alice had fixed the value 2 for $a$ in the first interaction.

Guaranteeing HS and TS is often non-trivial, and this burden is on the software architect; tools like the ones described in [7] only highlight the problems but do not help to fix them. HS and TS are global semantic properties that may be hard to achieve. For instance, TS requires one to trace back to "under-constrained" interactions (i.e., interactions that allow values causing future predicates to be unsatisfiable) and to redistribute there the unsatisfiable constraints.

Contributions. We show a few techniques that help software architects to amend global assertions during the design of distributed choreographies. The preliminary notions used in the rest of the paper are given in §2. In §3 we give two algorithms which, if applicable, automatically fix HS in global assertions; the first algorithm strengthens a predicate while the second one is based on variable propagation. In §4 we give an algorithm which, if possible, moves predicates up in the global assertion in order to remove TS violations. §5 outlines a methodology based on the three algorithms. Conclusions and future work are discussed in §6.

2 Preliminaries 

Let $\mathcal P$ (ranged over by $p, q, s, r, \ldots$) and $\mathcal V$ (ranged over by $u, v, x, y, \ldots$) be two countably infinite sets of identifiers. We assume $\mathcal P \cap \mathcal V = \emptyset$ and call their elements participants and interaction variables, respectively. Hereafter, $\tilde x$ represents a list of some elements (for instance, $\tilde v$ is a list of interaction variables); the concatenation of $\tilde x$ and $\tilde y$ is denoted by the juxtaposition $\tilde x \tilde y$, and, abusing notation, we confound lists with the underlying sets of their elements (e.g., $a \in \tilde x$ indicates that $a$ occurs in the list $\tilde x$). Also, expressions (ranged over by $e$) include variables in $\mathcal V$, basic data types (e.g., integers, booleans, etc.), and the usual arithmetic operations/relations; $var(e)$ is the set of (free) variables in $e$; and we denote logical implication with the symbol $\supset$.

As in [3], we parametrise our constructions with respect to a logical language $\Psi$, which we assume to be a decidable fragment of first-order logic with expressions and quantifiers on variables; the set of free interaction variables of $\psi \in \Psi$ is denoted by $var(\psi)$, and we write $\psi(\tilde v)$ to emphasise that $var(\psi) \subseteq \tilde v$.
The main ingredients of global assertions are interactions, abbreviated $\iota$, which have the form

$$s \to r : \{\tilde v \mid \psi\} \qquad (2.1)$$

where $s, r \in \mathcal P$ are the sender and the receiver, $\tilde v \subseteq \mathcal V$ is a pairwise-distinct list of variables, and $\psi \in \Psi$. The variables $\tilde v$ are called interaction variables and, in (2.1), we say that they are introduced by $s$. The interaction (2.1) reads as "$s$ has to send to $r$ some values for $\tilde v$ that satisfy $\psi$" or as "$r$ relies on the fact that the values fixed by $s$ for $\tilde v$ satisfy $\psi$". For instance¹

$$s \to r : \{v\,w \mid \exists u.\ v = u \times w\}$$

states that $s$ has the obligation to send $r$ two values such that the first is a multiple of the second.



Remark 1. In [3], interactions specify a channel over which participants communicate. In (2.1) we omit channels since they are inconsequential to our results ([2] shows that channels can indeed be removed).

Given $\iota$ as in (2.1), we define

$$snd(\iota) \stackrel{\text{def}}{=} s, \qquad rcv(\iota) \stackrel{\text{def}}{=} r, \qquad var(\iota) \stackrel{\text{def}}{=} \tilde v, \qquad \text{and} \qquad cst(\iota) \stackrel{\text{def}}{=} \psi$$

Def. 2 below is essentially borrowed from [3], but for a slightly simplified syntax.

Definition 2 (Global Assertions). Global assertions are defined by the following productions.

$$\begin{array}{rcll}
\mathcal G & ::= & \iota.\mathcal G & \text{Prefix}\\
 & \mid & s \to r : \{\{\psi_j\}\, l_j : \mathcal G_j\}_{j \in J} & \text{Branching}\\
 & \mid & \mu\mathbf t(\tilde e)\{\tilde v \mid \psi\}.\mathcal G & \text{Recursive definition}\\
 & \mid & \mathbf t(\tilde e) & \text{Recursive call}\\
 & \mid & \mathbf{end} & \text{End session}
\end{array}$$

where $\psi, \psi_j \in \Psi$ and $l_j$ ranges over a set of labels. We let $\mathcal G, \mathcal G', \mathcal G_j$ range over global assertions.

The first production in Def. 2 represents an interaction prefix; the interaction variables $var(\iota)$ are bound in the continuation of the prefix and in $cst(\iota)$. The second production allows the selector $s$ to choose one of the labels $\{l_j\}_{j \in J}$ and send it to $r$; the choice of label $l_j$ is guarded by $\psi_j$ (guaranteed by $s$) and is followed by $\mathcal G_j$. The formal parameters $\tilde v \subseteq \mathcal V$ in a recursive definition² are constrained by the invariant $\psi$, which must be satisfied at each recursive call (this is guaranteed when the global assertion satisfies TS). The initialisation vector $\tilde e$ (of the same length as $\tilde v$) specifies the initial values of the formal parameters. Recursive calls must be prefix-guarded.

The termination of the session is represented by $\mathbf{end}$ (trailing occurrences are often omitted). We denote by $var(\mathcal G)$ the set of interaction variables and recursion parameters in $\mathcal G$.

Remark 3. For simplicity, we assume Barendregt's convention (i.e., bound variables are all distinct and they differ from any free variable). Moreover, global assertions $\mathcal G$ are closed, i.e., each free occurrence of $v \in var(\mathcal G)$ is either preceded by an interaction $\iota$ such that $v \in var(\iota)$ or by a recursive definition having $v$ as one of its formal parameters.

A participant $p$ knows a variable $v \in var(\mathcal G)$ if either

• there is $\iota$ in $\mathcal G$ such that $v \in var(\iota)$ and $p \in \{snd(\iota), rcv(\iota)\}$,

• or there is a recursive definition $\mu\mathbf t(\tilde e_1\, e\, \tilde e_2)\{\tilde v_1\, v\, \tilde v_2 \mid \psi\}.\mathcal G'$ in $\mathcal G$ such that $p$ knows all the variables³ in $var(e)$ and, for each recursive invocation $\mathbf t(\tilde e'_1\, e'\, \tilde e'_2)$ in $\mathcal G'$, $p$ knows all the variables in $var(e')$.

We denote by $knows_p(\mathcal G) \subseteq var(\mathcal G)$ the set of variables in $\mathcal G$ that $p$ knows.

¹ For simplicity, we assume the typing of variables understood.

² The variables $\tilde v$ are pairwise distinct and their free occurrences in the body of the recursion are bound by the recursive definition.
Example 4. Consider the following global assertion

$$\begin{array}{l}
\mathcal G_4 = \mu\mathbf t(10)\{v \mid \psi\}.\\
\quad \mathsf{Alice} \to \mathsf{Bob} : \{v_1 \mid \psi_1\}.\\
\quad \mathsf{Bob} \to \mathsf{Carol} : \{v_2 \mid \psi_2\}.\\
\quad \mathbf t(v_1)
\end{array}$$

repeatedly executing a computation where (i) Alice sends a variable $v_1$ to Bob and (ii) Bob sends a variable $v_2$ to Carol. At each step the invariant $\psi$ must be satisfied, namely at the first invocation $\psi[10/v]$ must hold and in all subsequent invocations $\psi[v_1/v]$ must hold.

In $\mathcal G_4$, Alice knows $v_1$, since she sends it, while $v_1, v_2 \in knows_{\mathsf{Bob}}(\mathcal G_4)$, since Bob receives $v_1$ and sends $v_2$, respectively. Carol knows $v_2$, since she receives it. Also, $v \in knows_{\mathsf{Alice}}(\mathcal G_4) \cap knows_{\mathsf{Bob}}(\mathcal G_4)$, since Alice and Bob know $v_1$, the unique variable in the expression of the recursive call (and they trivially know all the variables in the initial expression, i.e. the constant 10). However, Carol does not know $v$, since she does not know $v_1$.

It is convenient to treat global assertions as trees whose nodes are drawn from a set $\mathcal N$ (ranged over by $n$) and labelled with information on the syntactic categories of Def. 2. Hereafter, we write $n \in T$ if $n$ is a node of a tree $T$, $\bar n$ to denote the label of $n$, and $T^*$ for the root of $T$.

Definition 5 (Assertion Tree). The assertion tree $T(\mathcal G)$ of a global assertion $\mathcal G$ is defined as follows:

• If $\mathcal G = \iota.\mathcal G'$ then $T(\mathcal G)^*$ has label $\iota$ and its unique child is $T(\mathcal G')^*$.

• If $\mathcal G = s \to r : \{\{\psi_j\}\, l_j : \mathcal G_j\}_{j \in J}$ then $T(\mathcal G)^*$ has label $s \to r$ and its children are $\{n_j\}_{j \in J} \subseteq \mathcal N$ such that, for each $j \in J$, $\bar n_j = \{\psi_j\}\, l_j$ and $T(\mathcal G_j)^*$ is the unique child of $n_j$.

• If $\mathcal G = \mu\mathbf t(\tilde e)\{\tilde v \mid \psi\}.\mathcal G'$ then $T(\mathcal G)^*$ has label $\mu\mathbf t(\tilde e)\{\tilde v \mid \psi\}$ and its unique child is $T(\mathcal G')^*$.

• If $\mathcal G = \mathbf t(\tilde e)$ then $T(\mathcal G)$ consists of one node with label $\mathbf t(\tilde e)$.

• If $\mathcal G = \mathbf{end}$ then $T(\mathcal G)$ consists of one node with label $\mathbf{end}$.

We denote the set of assertion trees by $\mathbb T$ and let $T, T', \ldots$ range over $\mathbb T$. For convenience, given $T \in \mathbb T$, we will use the partial functions

$$var_T : \mathcal N \to 2^{\mathcal V}, \qquad cst_T : \mathcal N \to \Psi, \qquad \text{and} \qquad snd_T, rcv_T : \mathcal N \to \mathcal P$$

that are undefined⁴ on $\mathcal N \setminus \{n \mid n \in T\}$ and defined as follows otherwise:

$$var_T(n) = \begin{cases} var(\iota), & \text{if } \bar n = \iota\\ \emptyset, & \text{otherwise}\end{cases}
\qquad
cst_T(n) = \begin{cases} \psi, & \text{if } \bar n = \iota \text{ and } cst(\iota) = \psi, \text{ or } \bar n = \{\psi\}\, l, \text{ or } \bar n = \mu\mathbf t(\tilde e)\{\tilde v \mid \psi\}\\ \mathbf{true}, & \text{otherwise}\end{cases}$$

$$snd_T(n) = \begin{cases} snd(\iota), & \text{if } \bar n = \iota\\ s, & \text{if } \bar n = s \to r\end{cases}
\qquad
rcv_T(n) = \begin{cases} rcv(\iota), & \text{if } \bar n = \iota\\ r, & \text{if } \bar n = s \to r\end{cases}$$

Moreover, we shall use the following functions:

• $parent_T(n)$, returning $\varepsilon$ if $n = T^*$, the parent of $n$ in $T$ if $n \in T$, and $\bot$ otherwise.

• $n{\uparrow}T$, returning the path from $T^*$ to $n$ if $n \in T$, and $\bot$ otherwise.

Given $T \in \mathbb T$, let $\Lambda(T)$ be the global assertion obtained by appending the labels of the nodes in a (depth-first) preorder traversal of $T$.

Fact 6. $\Lambda(T(\mathcal G)) = \mathcal G$.

Fact 6 allows us to extend $knows_p(\_)$ to $\mathbb T$ by $knows_p(T) = knows_p(\Lambda(T))$.

Fact 7. If $T \in \mathbb T$ then $T(\Lambda(T)) = T$.

Facts 6 and 7 basically induce an isomorphism between global assertions and their parsing trees.

³ Assume that the lengths of $\tilde e_i$ and $\tilde e'_i$ are the same as that of $\tilde v_i$ for $i \in \{1, 2\}$.

⁴ We write $f(x) = \bot$ when the function $f$ is undefined on $x$.

3 Towards a Better Past 

In a distributed choreography, parties have to make local choices on the communicated values; such choices impact on the graceful coordination of the distributed parties. It is therefore crucial that, at each point of the choreography, the responsible party has "enough information" to commit to an "appropriate" local choice. For global assertions, this distils into history sensitivity (HS), a property defined in [3] demanding that each sender/selector knows all the variables involved in the predicates (s)he must guarantee. We illustrate HS with Example 8 below.

Example 8. The global assertion $\mathcal G_8$ below violates HS.

$$\begin{array}{l}
\mathcal G_8 = \mathsf{Alice} \to \mathsf{Bob} : \{v_1 \mid v_1 > 0\}.\\
\quad \mathsf{Bob} \to \mathsf{Carol} : \{v_2 \mid v_2 > 0\}.\\
\quad \mathsf{Carol} \to \mathsf{Alice} : \{v_3 \mid v_3 > v_1\}
\end{array}$$

In fact, Carol's obligation $v_3 > v_1$ cannot be fulfilled because $v_1 \notin knows_{\mathsf{Carol}}(\mathcal G_8)$.

Given a global assertion $\mathcal G$, the function $HS(\mathcal G)$ below returns the nodes of $T(\mathcal G)$ where HS is violated:

$$HS(\mathcal G) = \{\, n \in T(\mathcal G) \mid var(cst_{T(\mathcal G)}(n)) \not\subseteq knows_s(n{\uparrow}T(\mathcal G)) \text{ and } s = resp_{T(\mathcal G)}(n) \,\}$$

where $resp_T(\_) : \mathcal N \to \mathcal P$ yields the responsible party of a node and is defined as

$$resp_T(n) = \begin{cases} snd_T(n), & \text{if } \bar n = \iota\\ snd_T(parent_T(n)), & \text{if } \bar n = \{\psi\}\, l\\ \bot, & \text{otherwise}\end{cases}$$

Intuitively, to determine whether a node $n \in T(\mathcal G)$ violates HS, one checks if the responsible party of $n$ knows all the variables involved in $cst_{T(\mathcal G)}(n)$.

Given $T \in \mathbb T$, $varHS_T(\_) : \mathcal N \to 2^{\mathcal V}$ is defined as

$$varHS_T(n) = var(cst_T(n)) \setminus knows_s(n{\uparrow}T) \qquad \text{where } s = resp_T(n)$$

Namely, $varHS_T(n)$ yields the variables of $n$ not known to the responsible party of $n$. It is a simple observation that if HS is violated at a node $n$, then there exists a variable in the predicate of $n$ which is not known to the responsible party of $n$ (namely, if $n \in HS(\mathcal G)$ then $varHS_T(n) \neq \emptyset$).
Example 9. Consider the following global assertion:

$$\begin{array}{l}
\mathcal G_9 = \mu\mathbf t(10)\{v \mid v > 0\}.\\
\quad \mathsf{Alice} \to \mathsf{Bob} : \{v_1 \mid v > v_1\}.\\
\quad \mathsf{Bob} \to \mathsf{Carol} : \{v_2 \mid v_2 > v_1\}.\\
\quad \mathsf{Carol} \to \mathsf{Alice} : \{v_3 \mid v_3 > v_1\}.\\
\quad \mathsf{Carol} \to \mathsf{Bob} : \{v_4 \mid v_4 > v\}.\\
\quad \mathbf t(v_1)
\end{array}$$

$HS(\mathcal G_9) = \{n_3, n_4\}$, where $n_3$ and $n_4$ are the nodes in $T(\mathcal G_9)$ corresponding to the third and fourth interactions of $\mathcal G_9$, i.e. $\bar n_3 = \mathsf{Carol} \to \mathsf{Alice} : \{v_3 \mid v_3 > v_1\}$ and $\bar n_4 = \mathsf{Carol} \to \mathsf{Bob} : \{v_4 \mid v_4 > v\}$.

In Example 9, Carol is responsible for both violations (i.e., $resp_{T(\mathcal G_9)}(n_3) = resp_{T(\mathcal G_9)}(n_4) = \mathsf{Carol}$). $varHS_{T(\mathcal G_9)}(n_3) = \{v_1\}$ (i.e., Carol has an obligation on $v_3 > v_1$ without knowing $v_1$) and the violation at $n_4$ is on $varHS_{T(\mathcal G_9)}(n_4) = \{v\}$ (i.e., Carol has an obligation on $v_4 > v$ without knowing $v$). Note that a violation of HS does not imply that Carol will actually violate the condition $v_3 > v_1$: Carol could unknowingly choose either a violating or a non-violating value for $v_3$.

In §3.1 and §3.2 we present two algorithms that fix, when possible, violations of HS in a global assertion. We discuss and compare their applicability, as well as the relationship between the amended global assertion and the original one. We shall use Example 9 as the running example of §3.1 and §3.2.



3.1 Strengthening

Fix a global assertion $\mathcal G$ and its assertion tree $T = T(\mathcal G)$. Assume HS is violated at $n \in T$ and $cst_T(n) = \psi$. Violations occur when the responsible party $s$ of $n$ is ignorant of at least one variable $v \in var(\psi)$. The strengthening algorithm (cf. Def. 11) replaces $\psi$ in $\mathcal G$ with an assertion $\psi[v'/v]$ such that

(1) $v'$ is a variable that $s$ knows,

(2) if $\psi[v'/v]$ and the predicates occurring from $T^*$ to $parent_T(n)$ are satisfied then $\psi$ is also satisfied.

If there is no variable $v'$ that ensures (1) and (2) then we say that strengthening is not applicable. Intuitively, the method above strengthens $\psi$ to $\psi[v'/v]$. Due to (2), $\psi$ can still be guaranteed relying on the information provided by all the predicates occurring before $n$. Let $PRED_T : \mathcal N \to \Psi$ yield the conjunction of the predicates on the path from $T^*$ to the parent of a node:

$$PRED_T(n) = \begin{cases} \bot, & \text{if } parent_T(n) = \bot\\ \mathbf{true}, & \text{if } parent_T(n) = \varepsilon\\ cst_T(parent_T(n)) \wedge PRED_T(parent_T(n)), & \text{otherwise}\end{cases}$$

The function $\mathtt{strengthen}(\mathcal G)$ uses $PRED_T$ to compute a global assertion by replacing in $\mathcal G$, if possible, the assertion violating HS with a stronger predicate.

Definition 10 (strengthen). If $HS(\mathcal G) = \emptyset$ then $\mathtt{strengthen}(\mathcal G)$ returns $\mathcal G$. If $n \in HS(\mathcal G)$, $v \in varHS_T(n)$, and there exists $v' \in knows_s(n{\uparrow}T)$ such that

$$PRED_T(n) \wedge \psi[v'/v] \supset \psi \qquad \text{with } \psi = cst_T(n) \qquad (3.1)$$

then $\mathtt{strengthen}(\mathcal G)$ returns $\Lambda(T')$, where $T'$ is obtained from $T$ by replacing $\psi$ with $\psi[v'/v]$ in $n$.

Finally, when the two cases above cannot be applied, $\mathtt{strengthen}(\mathcal G)$ returns $\mathcal G_{!n}$, namely it indicates that $\mathcal G$ violates HS at $n \in HS(\mathcal G)$.
The algorithm $\Phi_1$ in Def. 11 recursively applies $\mathtt{strengthen}(\_)$ until either the global assertion satisfies HS or $\Phi_1$ is not applicable anymore.

Definition 11 ($\Phi_1$). The algorithm $\Phi_1$ is defined as follows:

$$\Phi_1(\mathcal G) = \begin{cases} \mathtt{strengthen}(\mathcal G), & \text{if } \mathtt{strengthen}(\mathcal G) \in \{\mathcal G, \mathcal G_{!n}\}\\ \Phi_1(\mathtt{strengthen}(\mathcal G)), & \text{otherwise}\end{cases}$$

Example 12. Consider $\mathcal G_9$ from Example 9 and recall that $HS(\mathcal G_9) = \{n_3, n_4\}$. Strengthening is applicable to $n_3$, where we can substitute $v_1$ with $v_2$ in $v_3 > v_1$ to satisfy the condition in Def. 10:

$$(v > 0 \wedge v > v_1 \wedge v_2 > v_1) \wedge (v_3 > v_2) \supset (v_3 > v_1)$$

The invocation of $\mathtt{strengthen}(\mathcal G_9)$ returns

$$\begin{array}{l}
\mathcal G' = \mu\mathbf t(10)\{v \mid v > 0\}.\\
\quad \mathsf{Alice} \to \mathsf{Bob} : \{v_1 \mid v > v_1\}.\\
\quad \mathsf{Bob} \to \mathsf{Carol} : \{v_2 \mid v_2 > v_1\}.\\
\quad \mathsf{Carol} \to \mathsf{Alice} : \{v_3 \mid v_3 > v_2\}.\\
\quad \mathsf{Carol} \to \mathsf{Bob} : \{v_4 \mid v_4 > v\}.\\
\quad \mathbf t(v_1)
\end{array}$$

The invocation of $\mathtt{strengthen}(\mathcal G')$ returns $\mathcal G'_{!n_4}$, since $\mathcal G'$ still has one violating node $n_4$, for which strengthening is not applicable: for any $v' \in \{v_2, v_3\}$ known to Carol, $(v > 0 \wedge v > v_1 \wedge v_2 > v_1 \wedge v_3 > v_2) \wedge (v_4 > v') \not\supset (v_4 > v)$.



3.2 Variable Propagation

An alternative approach to solving HS problems is based on modifying global assertions so that the responsible parties of the violating nodes get to know the variables causing the violation. The idea is that such variables are propagated along a "chain of interactions".

Definition 13 ($\prec_T$). Let $n, n' \in T$; $n \prec_T n'$ iff $n$ appears in $n'{\uparrow}T$ and $rcv_T(n) = snd_T(n')$. A vector of nodes $n_1, \ldots, n_t$ is a chain in $T$ iff $n_i \prec_T n_{i+1}$ for all $i \in \{1, \ldots, t-1\}$.

The relation $\prec_T$ is similar to the IO-dependency defined in [6], but does not consider branching, since a branching does not carry interaction variables.

Fix a global assertion $\mathcal G$; let $T = T(\mathcal G)$, $n \in HS(\mathcal G)$, $v \in varHS_T(n)$, and $s = resp_T(n)$.

The propagation algorithm (cf. Def. 17) is applicable only if there exists a $\prec_T$-chain in $n{\uparrow}T$ through which $v$ can be propagated from a node whose sender knows $v$ to $n$, where $s = resp_T(n)$ can receive it. Given a chain $\tilde n = n_1 \cdots n_t$ in $T$, let the propagation of $v$ in $\tilde n$ be the tree $T' \in \mathbb T$ obtained by updating the nodes of $T$ as follows:

• $var_{T'}(n_1) = var_T(n_1) \cup \{v_1\}$ and $cst_{T'}(n_1) = cst_T(n_1) \wedge (v_1 = v)$, with $v_1 \in \mathcal V$ fresh;

• for $i = 2, \ldots, t-1$, $var_{T'}(n_i) = var_T(n_i) \cup \{v_i\}$ and $cst_{T'}(n_i) = cst_T(n_i) \wedge (v_i = v_{i-1})$, with $v_2, \ldots, v_{t-1} \in \mathcal V$ fresh;

• $cst_{T'}(n_t) = cst_T(n_t)[v_{t-1}/v]$;

• all the other nodes of $T$ remain unchanged.

For a sequence of nodes $\tilde n$, $P_T(v, \tilde n)$ denotes the $T'$ computed as above if $\tilde n$ is a $\prec_T$-chain, and $\bot$ otherwise.
Example 14. In the global assertion $\mathcal G_{14}$ below, assume that Alice knows $v$ from previous interactions (the ellipsis in $\mathcal G_{14}$).

$$\begin{array}{l}
\mathcal G_{14} = \cdots\ \mathsf{Alice} \to \mathsf{Bob} : \{u_1 \mid \psi_1\}.\\
\quad \mathsf{Bob} \to \mathsf{Carol} : \{u_2 \mid \psi_2\}.\\
\quad \mathsf{Bob} \to \mathsf{Dave} : \{u_3 \mid \psi_3\}.\\
\quad \mathsf{Dave} \to \mathsf{Alice} : \{u_4 \mid u_4 > v\}
\end{array}$$

For the chain $\tilde n = n_1\, n_3\, n_4$ in $T(\mathcal G_{14})$ (where $n_i$ corresponds to the $i$-th interaction of $\mathcal G_{14}$), $P_{T(\mathcal G_{14})}(v, \tilde n)$ returns $T'$ such that $\Lambda(T')$ is simply $\mathcal G_{14}$ with $\psi_1$ replaced by $\psi_1 \wedge v_1 = v$, $\psi_3$ replaced by $\psi_3 \wedge v_2 = v_1$, and $u_4 > v$ replaced by $u_4 > v_2$, and with the fresh variables $v_1$ and $v_2$ added to the interaction variables of the first and third interactions, respectively.

We define a function $\mathtt{propagate}$ which takes a global assertion $\mathcal G$ and returns: (1) $\mathcal G$ itself if HS is satisfied, (2) $\mathcal G_{!n}$ if HS is violated at $n \in T(\mathcal G)$ and propagation is not applicable, (3) $\mathcal G'$ otherwise, where $\mathcal G'$ is obtained by propagating a violating variable $v$ of node $n$; in the latter case, observe that $v$ has surely been introduced in a node $n' \in n{\uparrow}T(\mathcal G)$ from which $v$ can be propagated, since we assume $\mathcal G$ closed.

Definition 15 (propagate). The function $\mathtt{propagate}(\mathcal G)$ returns

• $\mathcal G$, if $HS(\mathcal G) = \emptyset$;

• $\Lambda(P_T(v, \tilde n))$, if $T = T(\mathcal G)$ and there exist $n \in HS(\mathcal G)$ with $v \in varHS_T(n)$ and a chain $\tilde n = n_0\, n_1 \cdots n$ in $T$ such that $snd_T(n_0)$ knows $v$;

• $\mathcal G_{!n}$ with $n \in HS(\mathcal G)$, otherwise.

Example 16. Consider again the global assertion $\mathcal G'$ obtained after the invocation $\mathtt{strengthen}(\mathcal G_9)$ in Example 12. In this case $HS(\mathcal G') = \{n_4\}$ with $\bar n_4 = \mathsf{Carol} \to \mathsf{Bob} : \{v_4 \mid v_4 > v\}$. Propagation is applicable to $n_4$ and $\mathtt{propagate}(\mathcal G')$ returns

$$\begin{array}{l}
\mathcal G'' = \mu\mathbf t(10)\{v \mid v > 0\}.\\
\quad \mathsf{Alice} \to \mathsf{Bob} : \{v_1 \mid v > v_1\}.\\
\quad \mathsf{Bob} \to \mathsf{Carol} : \{v_2\, u_1 \mid v_2 > v_1 \wedge u_1 = v\}.\\
\quad \mathsf{Carol} \to \mathsf{Alice} : \{v_3 \mid v_3 > v_2\}.\\
\quad \mathsf{Carol} \to \mathsf{Bob} : \{v_4 \mid v_4 > u_1\}.\\
\quad \mathbf t(v_1)
\end{array}$$

by propagating $v$ from the second interaction, whose sender Bob knows $v$, to Carol. $\mathcal G''$ satisfies HS. The predicate of the last interaction derives from the substitution $(v_4 > v)[u_1/v]$.

The propagation algorithm is defined below and is based on the repeated application of $\mathtt{propagate}(\_)$.

Definition 17 ($\Phi_2$). Given a global assertion $\mathcal G$, the function $\Phi_2$ is defined as follows:

$$\Phi_2(\mathcal G) = \begin{cases} \mathtt{propagate}(\mathcal G), & \text{if } \mathtt{propagate}(\mathcal G) \in \{\mathcal G, \mathcal G_{!n}\}\\ \Phi_2(\mathtt{propagate}(\mathcal G)), & \text{otherwise}\end{cases}$$
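The definitions of §2 and §3 ($knows$, $HS$, $varHS$, $\mathtt{strengthen}$ and $\Phi_1$, $\prec_T$-chains, $\mathtt{propagate}$ and $\Phi_2$) put together as an added Python example; this is not code from the paper. It handles prefix-only global assertions (no branching), so an assertion tree is a single path and the path $n{\uparrow}T$ of the $i$-th interaction is just the first $i$ interactions; predicates are written as Python boolean expressions over integers, and the decidable logic assumed in §2 is replaced by enumeration over a small integer domain, so its verdicts are only as reliable as that domain. It reproduces Examples 4, 8, 9, 12 and 16 and also guards against a caveat of Def. 10: condition (3.1) holds vacuously when $PRED_T(n) \wedge \psi[v'/v]$ is unsatisfiable (e.g. $v' = v_3$ in $v_3 > v_1$), which would trade an HS violation for a TS one, so the check additionally requires the strengthened predicate to have a model in its context. The names `GA`, `Rec`, `entails`, the fresh-variable scheme `u1, u2, ...` and the interpretation of $knows$ on a truncated path (recursion parameters resolved against the calls of the whole assertion) are this example's own choices.

```python
import itertools
import re
from dataclasses import dataclass, replace
from typing import Optional, Union

# A prefix-only global assertion: an optional recursive definition wrapping a
# sequence of interactions; body[i] is the i-th interaction node of the path.
@dataclass(frozen=True)
class Interaction:      # s -> r : {vars | cst}, cst a Python boolean expression
    snd: str; rcv: str; vars: tuple; cst: str

@dataclass(frozen=True)
class Rec:              # mu t(init){params | inv}. ... t(call)
    params: tuple; init: tuple; call: tuple; inv: str

@dataclass(frozen=True)
class GA:
    body: tuple; rec: Optional[Rec] = None

Result = Union[GA, tuple]          # an amended GA, or ("fail", GA, n) standing for G_{!n}
_ID = re.compile(r"[A-Za-z_]\w*")
_KW = {"and", "or", "not", "True", "False"}

def var_of(e: str) -> frozenset:
    """var(e): the identifiers occurring in an expression or predicate."""
    return frozenset(_ID.findall(e)) - _KW

def knows(p: str, g: GA, upto: Optional[int] = None) -> frozenset:
    """knows_p restricted to the interactions up to node `upto` (all if None).
    Assumption: recursion parameters are resolved against the calls of the whole
    assertion even on a truncated path, which is what Examples 9 and 12 require."""
    path = g.body if upto is None else g.body[: upto + 1]
    known = {v for i in path if p in (i.snd, i.rcv) for v in i.vars}
    changed = g.rec is not None
    while changed:                 # a parameter may become known via another parameter
        changed = False
        for v, e0, e1 in zip(g.rec.params, g.rec.init, g.rec.call):
            if v not in known and var_of(e0) <= known and var_of(e1) <= known:
                known.add(v); changed = True
    return frozenset(known)

def varHS(g: GA, n: int) -> frozenset:
    """Variables of cst(n) unknown to the responsible party of n, i.e. its sender."""
    return var_of(g.body[n].cst) - knows(g.body[n].snd, g, n)

def HS(g: GA) -> list:
    return [n for n in range(len(g.body)) if varHS(g, n)]

def PRED(g: GA, n: int) -> list:
    """The predicates preceding n, the recursion invariant included."""
    return ([g.rec.inv] if g.rec else []) + [i.cst for i in g.body[:n]]

def entails(hyps: list, concl: str, dom=range(5)) -> bool:
    """Bounded check of  hyps => concl  over a small integer domain (assumption: a
    decision procedure for the logic would replace this brute force). hyps must
    also have a model: a vacuous (3.1) would only make node n unsatisfiable."""
    vs = sorted(set().union(*map(var_of, hyps + [concl])))
    hc = [compile(h, "<hyp>", "eval") for h in hyps]; cc = compile(concl, "<concl>", "eval")
    envs = [dict(zip(vs, vals)) for vals in itertools.product(dom, repeat=len(vs))]
    models = [e for e in envs if all(eval(c, {}, e) for c in hc)]
    return bool(models) and all(eval(cc, {}, e) for e in models)

def subst(cst: str, v: str, w: str) -> str:
    """cst[w/v], replacing whole identifiers only."""
    return re.sub(rf"\b{re.escape(v)}\b", w, cst)

def strengthen(g: GA) -> Result:
    """Def. 10: in the first violating node, replace v by a known v' if (3.1) holds."""
    viol = HS(g)
    if not viol:
        return g
    n = viol[0]; i = g.body[n]
    for v in sorted(varHS(g, n)):
        for w in sorted(knows(i.snd, g, n)):
            new = subst(i.cst, v, w)
            if entails(PRED(g, n) + [new], i.cst):               # condition (3.1)
                body = list(g.body); body[n] = replace(i, cst=new)
                return replace(g, body=tuple(body))
    return ("fail", g, n)

def chains_to(g: GA, n: int) -> list:
    """All chains n_1 ... n_t = n of Def. 13: n_i precedes n_{i+1}, rcv(n_i) = snd(n_{i+1})."""
    return [[n]] + [c + [n] for m in range(n) if g.body[m].rcv == g.body[n].snd
                    for c in chains_to(g, m)]

def propagate(g: GA) -> Result:
    """Def. 15: carry v down a chain whose first sender knows it, via fresh variables."""
    viol = HS(g)
    if not viol:
        return g
    n = viol[0]
    used = {v for i in g.body for v in i.vars} | set(g.rec.params if g.rec else ())
    for v in sorted(varHS(g, n)):
        for ch in chains_to(g, n):
            if len(ch) < 2 or v not in knows(g.body[ch[0]].snd, g, ch[0]):
                continue
            body, prev = list(g.body), v
            for m in ch[:-1]:                                    # nodes n_1 ... n_{t-1}
                fresh = next(f"u{k}" for k in itertools.count(1) if f"u{k}" not in used)
                used.add(fresh); i = body[m]
                body[m] = replace(i, vars=i.vars + (fresh,), cst=f"{i.cst} and {fresh} == {prev}")
                prev = fresh
            body[n] = replace(body[n], cst=subst(body[n].cst, v, prev))   # cst(n_t)[v_{t-1}/v]
            return replace(g, body=tuple(body))
    return ("fail", g, n)

def iterate(step, g: GA) -> Result:
    """Phi_1 / Phi_2 (Defs. 11 and 17): apply `step` until it returns G itself or G_{!n}."""
    while True:
        r = step(g)
        if r is g or isinstance(r, tuple):
            return r
        g = r

def phi1(g: GA) -> Result: return iterate(strengthen, g)
def phi2(g: GA) -> Result: return iterate(propagate, g)

# Examples 4, 8 and 9 of the paper, encoded as constructed sample input.
G4 = GA((Interaction("Alice", "Bob", ("v1",), "True"), Interaction("Bob", "Carol", ("v2",), "True")),
        Rec(("v",), ("10",), ("v1",), "True"))
G8 = GA((Interaction("Alice", "Bob", ("v1",), "v1 > 0"), Interaction("Bob", "Carol", ("v2",), "v2 > 0"),
         Interaction("Carol", "Alice", ("v3",), "v3 > v1")))
G9 = GA((Interaction("Alice", "Bob", ("v1",), "v > v1"), Interaction("Bob", "Carol", ("v2",), "v2 > v1"),
         Interaction("Carol", "Alice", ("v3",), "v3 > v1"), Interaction("Carol", "Bob", ("v4",), "v4 > v")),
        Rec(("v",), ("10",), ("v1",), "v > 0"))
```

`phi1(G9)` strengthens $n_3$ to $v_3 > v_2$ and then stops with `("fail", G', 3)`, i.e. $\mathcal G'_{!n_4}$ of Example 12; `phi2` applied to that $\mathcal G'$ returns the assertion of Example 16, with $u_1 = v$ added to the Bob-to-Carol interaction and $v_4 > u_1$ as the last predicate, which also makes concrete the disclosure noted in Remark 18: Carol now learns $v$. On $\mathcal G_8$ (Example 8) `phi1` fails while `phi2` succeeds, the situation described in §3.3 where one algorithm applies and the other does not.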



3.3 Properties of $\Phi_1$ and $\Phi_2$

We now discuss the properties of the global assertions amended by each algorithm and we compare them. Hereafter, we say that $\Phi_1$ (resp. $\Phi_2$) returns $\mathcal G$ if either it returns $\mathcal G$ or it returns $\mathcal G_{!n}$ for some $n$.

The applicability of $\Phi_1$ depends on whether it is possible to find a variable known by the responsible party of the violating node such that condition (3.1) in Def. 10 is satisfied. The applicability of $\Phi_2$ depends on whether there exists a chain through which the problematic variable can be propagated.⁵

⁵ Linearity of the underlying multiparty session types (i.e., a property that ensures the existence of a dependency chain between the interactions) [6] does not guarantee that $\Phi_2$ is always applicable. The reason is that $n_1 \prec n_2$ in the sense of [6] does not imply $n_1 \prec_T n_2$, since $\prec_T$ does not take into account branching but only interactions.

Notably, there are cases in which $\Phi_1$ is applicable and $\Phi_2$ is not, and vice versa. Also, $\Phi_1$ and $\Phi_2$ return two different global assertions from the original one; hence it may not always be clear which one should be preferred.

Remark 18. In distributed applications it is often necessary to guarantee that exchanged information is accessible only to the intended participants. It is worth observing that $\Phi_2$ discloses the propagated variable to all the participants involved in the propagation chain: in Example 16, for instance, the value of $v$ reaches Carol (as $u_1$), who did not know it in $\mathcal G'$. The architect should therefore evaluate whether the propagated variable may be revealed to those intermediaries before using $\Phi_2$.

First we show that both $\Phi_1$ and $\Phi_2$ do not change the structure of the given global assertion.

Proposition 19. Let $\mathcal G$ be a global assertion. If $\Phi_1(\mathcal G)$ or $\Phi_2(\mathcal G)$ returns $\mathcal G'$ then $T(\mathcal G)$ and $T(\mathcal G')$ are isomorphic, namely they have the same tree structure but (possibly) different labels.

Whereas $\Phi_1$ does not change the underlying type of the global assertion, $\Phi_2$ does. Indeed, in the resulting global assertion, more variables are exchanged in each interaction involved in the propagation. However, the structure of the tree remains the same.

Let $erase(\mathcal G)$ be the function that returns the underlying global type [6] corresponding to $\mathcal G$ (i.e. the global assertion without predicates).

Proposition 20 (Underlying Type Structure). Let $\mathcal G$ be a global assertion.

• If $\Phi_1(\mathcal G)$ returns $\mathcal G'$ then $erase(\mathcal G) = erase(\mathcal G')$.

• If $\Phi_2(\mathcal G)$ returns $\mathcal G'$ then, for all $n \in T(\mathcal G)$ and its corresponding node $n' \in T(\mathcal G')$, $var_{T(\mathcal G)}(n) \subseteq var_{T(\mathcal G')}(n')$.

Proof sketch. The proof is by induction on the structure of $\mathcal G$ and follows trivially from the fact that neither $\Phi_1$ nor $\Phi_2$ changes the structure of the assertion tree. In fact, $\Phi_1$ changes only the predicates. On the other hand, $\Phi_2$ changes the predicates and adds fresh variables to interaction nodes, therefore changing the type of the exchanged data. □

The application of $\Phi_1$ and $\Phi_2$ affects the predicates of the original global assertion. In $\Phi_1$, strengthening allows fewer values for the interaction variables of the amended interaction. Conversely, the predicates computed by $\Phi_2$ are equivalent to the original ones (i.e., they allow sender and receiver to choose/expect the same set of values). Nevertheless, such predicates are syntactically different, as $\Phi_2$ adds the equality predicates on the propagated variables.

Proposition 21 (Assertion Predicates). Let $\mathcal G$ be a global assertion.

1. If $\Phi_1(\mathcal G)$ returns $\mathcal G'$ then, for all $n \in T(\mathcal G)$ whose label is modified by $\Phi_1$ and its corresponding node $n' \in T(\mathcal G')$ (cf. Proposition 20), it holds that $PRED_{T(\mathcal G')}(n') \wedge cst_{T(\mathcal G')}(n') \supset cst_{T(\mathcal G)}(n)$.

2. If $\Phi_2(\mathcal G)$ returns $\mathcal G'$ then, for all $n \in T(\mathcal G)$ whose label is modified by $\Phi_2$ and its corresponding node $n' \in T(\mathcal G')$,

 (a) $cst_{T(\mathcal G')}(n')$ is the predicate $cst_{T(\mathcal G)}(n) \wedge \psi$, and

 (b) $PRED_{T(\mathcal G)}(n) \supset cst_{T(\mathcal G)}(n) \wedge \psi \iff PRED_{T(\mathcal G')}(n') \supset cst_{T(\mathcal G')}(n')$,

 for some satisfiable $\psi \in \Psi$.

Proof sketch. The proof of item 1 relies on the fact that $\Phi_1$ either does not change $\mathcal G$ or replaces a problematic variable by a variable for which (3.1) holds. The proof of item 2 relies on Def. 13, i.e. a predicate of the form $v_1 = v$ or $v_i = v_{i-1}$ is added to each predicate of the nodes in the chain. The additional predicates are satisfiable since they constrain only fresh variables (i.e. the $v_i$). □






Amending Contracts for Choreographies 



The statement 2(b) in Proposition 21 amounts to saying that $cst_{T(\mathcal G)}(n) \wedge \psi$ is equivalent to $cst_{T(\mathcal G')}(n')$ when such predicates are taken in their respective contexts.

Finally, we show that $\Phi_1$ and $\Phi_2$ do not add violations (of either HS or TS) to the amended global assertions (Proposition 22) and that, if the return value is not of the form $\mathcal G_{!n}$, then the amended global assertion satisfies HS (Theorem 23).

Proposition 22 (Properties Preservation). Assume that $\Phi_i$ returns $\mathcal G'$ with $i \in \{1, 2\}$. If $HS(\mathcal G) = \emptyset$ then $HS(\mathcal G') = \emptyset$, and if $TS(\mathcal G) = \emptyset$ then $TS(\mathcal G') = \emptyset$.

Proof sketch. The preservation of HS by both algorithms follows from the fact that they both return $\mathcal G$ if $HS(\mathcal G) = \emptyset$. TS preservation in $\Phi_1$ follows from the fact that predicates may only be changed by a variable substitution. For $T = T(\mathcal G)$ such that $TS(\mathcal G) = \emptyset$, we have that, for any $n \in T$,

$$PRED_T(n) \supset \exists var_T(n).\psi$$

by definition of TS, and, by (3.1), we have that

$$PRED_T(n) \supset \exists var_T(n).\psi[v'/v]$$

i.e. TS is preserved by $\Phi_1$. TS preservation in $\Phi_2$ follows from the fact that the predicates of a global assertion are only modified by adding equalities between problematic variables and fresh variables (see statement 2(b) in Proposition 21). □



Theorem 23 (Correctness). If there is $\mathcal G'$ such that $\Phi_1(\mathcal G) = \mathcal G'$ or $\Phi_2(\mathcal G) = \mathcal G'$ then $HS(\mathcal G') = \emptyset$.

Proof sketch. We only consider the cases where the algorithms do return a different tree. The proof for $\Phi_1$ follows simply from the fact that, at each iteration of the algorithm, the variable chosen to replace the problematic one is selected so that the responsible party knows it.

The proof for $\Phi_2$ is by induction on the length of the $\prec_T$-chain at each iteration, and follows from the condition to form such a chain. Let $T$ be an assertion tree and $\tilde n = n_1 \ldots n_t$ be the $\prec_T$-chain used to solve an HS problem at $n \in T$ on a variable $v$. By construction, the sender of $n_1$ knows $v$, and each variable $v_i$ added at $n_i$ is known to the sender of $n_{i+1}$ (by definition of $knows$). In addition, the receiver of $n_{t-1}$ is the sender of $n_t = n$, i.e. the responsible party of $n$, who therefore knows the variable $v_{t-1}$ which replaces $v$ in $n$. □



4 Back to the Future

In a distributed choreography, the local choices made by some parties may restrict the later choices of other parties to the point that no suitable value is available. This would lead to an abnormal termination, since the choreography cannot continue. For global assertions, this distils into temporal satisfiability (TS), which requires that the values sent in each interaction do not compromise the satisfiability of future interactions. The formal definition of temporal satisfiability is adapted from [3].

Definition 24 (TS [3]). A global assertion $\mathcal G$ satisfies TS (in symbols $TS(\mathcal G)$) iff $GSat(\mathcal G, \mathbf{true})$ holds, where

$$GSat(\mathcal G, \psi) \text{ iff } \begin{cases}
GSat(\mathcal G', \psi \wedge cst(\iota)), & \text{if } \mathcal G = \iota.\mathcal G' \text{ and } \psi \supset \exists var(\iota).cst(\iota)\\[2pt]
\bigwedge_{j \in J} GSat(\mathcal G_j, \psi \wedge \psi_j), & \text{if } \mathcal G = s \to r : \{\{\psi_j\}\, l_j : \mathcal G_j\}_{j \in J} \text{ and } \psi \supset \bigvee_{j \in J} \psi_j\\[2pt]
GSat(\mathcal G', \psi \wedge \psi'), & \text{if } \mathcal G = \mu\mathbf t(\tilde e)\{\tilde v \mid \psi'\}.\mathcal G' \text{ and } \psi \supset \psi'[\tilde e/\tilde v]\\[2pt]
\mathbf{true}, & \text{if } \mathcal G = \mathbf t_{\psi'(\tilde v)}(\tilde e) \text{ and } \psi \supset \psi'[\tilde e/\tilde v], \text{ or } \mathcal G = \mathbf{end}\\[2pt]
\mathbf{false}, & \text{otherwise}
\end{cases}$$

For an assertion tree $T \in \mathbb T$, $TS(T)$ holds iff $GSat(\Lambda(T), \mathbf{true})$.

Intuitively, $\psi$ in $GSat$ is equivalent to the conjunction of all the predicates that precede an interaction. In the first case, all the values satisfying $\psi$ allow the interaction variables $var(\iota)$ to be instantiated so as to satisfy the constraint $cst(\iota)$ of $\iota$. For branching, $GSat$ requires that at least one branch can be chosen and that each possible path satisfies $GSat$. The recursive definition requires that the initial parameters satisfy the invariant $\psi'$. In recursive calls, we assume an annotation giving the invariant of the corresponding recursive definition (i.e. $\psi'(\tilde v)$).

Often, TS problems appear when one tries to restrict the domain of a variable after its introduction. To illustrate this, we introduce the following running example.

Example 25. Consider $\mathcal G_{25}$ below, where $p$ constrains $x$ and $y$:

$$\begin{array}{l}
\mathcal G_{25} = p \to q : \{x \mid x < 10\}.\\
\quad p \to q : \{y \mid y > 8\}.\\
\quad q \to p : \{z \mid x > z \wedge z > 6 \wedge y \neq z\}
\end{array}$$

When $q$ introduces $z$, both $x$ and $y$ are further restricted. Notably, in Example 25, if $p$ chooses e.g. $x = 6$ then $q$ cannot choose a value for $z$.

Possibly, TS can be regained by rearranging some predicates. In particular, we can "lift" a predicate to a previous interaction node. For instance, in Example 25 one could lift the predicate $\exists z.\ x > z > 6$ (adapted from the last interaction) to the first interaction's predicate.

Without loss of generality, we assume that only one variable is introduced at the nodes where TS is violated. Also, we first consider TS violations occurring in interactions and recursive definitions. Amending violations arising in branching and recursive calls is similar but complicates the presentation; hence, for the sake of simplicity, such violations are considered in §4.2.

4.1 Lifting algorithm 

We formalise the lifting algorithm. First, we give a function telling us whether a node violates TS. 

Definition 26 (TSnode). Given $T \in \mathcal{T}$, $\mathsf{TSnode}_T(n)$ holds iff $n \in T$, and $\mathsf{TS}(T')$ holds where $T'$ is the assertion tree consisting of the path $n{\uparrow}_T$ where the children of $n$ (if any) are replaced by nodes with label $\mathsf{end}$. In addition, we assume that $\mathsf{TSnode}$ holds for nodes with label $s \to r$.

We can now define a function that returns the set of nodes violating TS such that all the previous nodes in the tree do not violate TS.

Definition 27 (TS). The function $\mathsf{TS} : \mathcal{T} \to \wp(\mathcal{N})$ is defined as follows:

$\mathsf{TS}(T) = \{\, n \in T \mid \mathsf{TSnode}_T(n) \text{ is false, and } \mathsf{TSnode}_T(n') \text{ is true for all } n' \in parent_T(n){\uparrow}_T \,\}$



For instance, in Example 25 we have that $\mathsf{TS}(T_{25})$ is the singleton $\{n_{25}\}$ where $T_{25} = \mathcal{T}(\mathcal{G}_{25})$ and $n_{25}$ is the node corresponding to the last interaction of $\mathcal{G}_{25}$.

Once an interaction node $n \in \mathsf{TS}(T)$ is chosen, we rearrange its predicate as two sub-predicates such that the first one constrains only the variable introduced at $n$, and the second one involves other variables (which have been introduced previously in $T$).

Definition 28 (rewrite). Let $\mathsf{rewrite}$ be defined as follows:

$\mathsf{rewrite}(\psi, v) = (\varphi(v), \psi'(w))$

where $\psi(w) \iff \varphi(v) \wedge \psi'(w)$.

Note that $\mathsf{rewrite}$ is a non-deterministic total function as $\varphi(v)$ could simply be $\mathsf{true}$. The application of $\mathsf{rewrite}$ to Example 25 yields $\mathsf{rewrite}(cst(n_{25}), var(n_{25})) = (z > 6,\ x > z \wedge y \neq z)$.

Remark 29. For a tree $T \in \mathcal{T}$ and $n \in \mathsf{TS}(T)$ such that $\mathsf{rewrite}(cst_T(n), v) = (\varphi, \psi)$ we may have $\mathsf{PRED}_T(n) \not\supset \exists v.\varphi$. For instance, if the predicate defined on $v$ alone is not satisfiable, e.g., $\varphi = v < 7 \wedge v > 7$. In this case the algorithm is not applicable.

We can define a relation among predicates $\psi$ and $\varphi$ in a context $\psi'$ to identify the problematic part of an assertion in an interaction node.

Definition 30 (Conflict). The predicate $\psi \in \Psi$ is in conflict on $v \subseteq \mathcal{V}$ with $\varphi$ in $\psi'$ iff

$\psi' \supset \exists v.\varphi \quad \text{and} \quad \psi' \not\supset \exists v.(\varphi \wedge \psi)$

Using Def. 30 and $\mathsf{PRED}_T(n)$ (cf. § 3), we define

$\mathsf{split}_T(n, \varphi, \psi) = \{\, \psi' \mid \psi \iff \psi' \wedge \psi'' \text{ and } \psi' \text{ is in conflict on } var(n) \text{ with } \varphi \wedge \psi'' \text{ in } \mathsf{PRED}_T(n) \,\}$

which returns a set of problematic predicates. Considering again Example 25, the application of $\mathsf{split}$ yields $\mathsf{split}_{T_{25}}(n_{25}, z > 6, x > z \wedge y \neq z) = \{x > z\}$ since $y \neq z$ still allows a suitable value for $z$ to be chosen.

The next definition formalises the construction of a new assertion tree which possibly regains TS, given a node and an assertion to be "lifted" (i.e. a "problematic" predicate).

Definition 31 (build). The function $\mathsf{build}_T(n, \psi)$ returns

• $\hat{T} \in \mathcal{T}$, if we can construct $\hat{T}$ isomorphic to $T$ except that each node $n' \in parent_T(n){\uparrow}_T$ such that $n' = s \to r : \{u \mid \theta\}$ and $u \cap var(\psi) \neq \emptyset$ is replaced by a node $\hat{n}$ with label

$s \to r : \{u \mid \theta \wedge \forall x.\exists y.\psi\}$ such that $\theta \wedge \forall x.\exists y.\psi$ is satisfiable

where

- $x \subseteq var(\psi) \setminus knows_s(T)$ are introduced in a node in $n'{\uparrow}_T$

- $y \subseteq var(\psi)$ are introduced in a node in the subtree rooted at $n'$

and there is no $n' \in parent_T(n){\uparrow}_T$ such that $n' = \mu t(e)(v \mid \psi')$ and $v \cap var(\psi) \neq \emptyset$.

• $\bot$ otherwise.

Remark 32. In the definition of $\mathsf{build}$, we assume that if either $x$ or $y$ is empty, the corresponding unnecessary quantifier is removed. Recall that global assertions are closed (cf. § 2). Therefore all the variables in $var(\psi)$ are taken into account in the construction of the new assertion tree.

In Example 25 we would invoke $\mathsf{build}_{T_{25}}(n_{25}, z > 6 \wedge x > z)$ which returns a new assertion tree. The new tree can be transformed into a global assertion isomorphic to $\mathcal{G}_{25}$ with line 1 updated to: $p \to q : \{x \mid x < 10 \wedge \exists z.\ x > z > 6\}$.

The function $\mathsf{TSres} : \mathcal{T} \times \mathcal{N} \to \mathcal{T} \cup \{\bot\}$ either solves a TS problem $n$ or returns $\bot$.

Definition 33 (TSres). Given $T \in \mathcal{T}$ and $n \in \mathsf{TS}(T)$, we define

$\mathsf{TSres}_T(n) = \begin{cases} \mathsf{build}_T(n, \varphi \wedge \psi') & \text{if } n \text{ is an interaction node and } (\varphi, \psi) = \mathsf{rewrite}(cst_T(n), var_T(n)) \text{ and there is } \psi' \in \mathsf{split}_T(n, \varphi, \psi) \text{ s.t. } \mathsf{build}_T(n, \varphi \wedge \psi') \neq \bot \\ \mathsf{build}_T(n, \psi[e/v]) & \text{if } n = \mu t(e)\{v \mid \psi\} \\ \bot & \text{otherwise} \end{cases}$

The second case of Definition 33 handles TS violations in recursive definitions. The problem is similar to the interaction case, but in this case the values assigned to the recursion parameters are known (i.e., $e$). It may be possible to lift the recursion invariant, where we replace the recursion parameters by the corresponding initialisation vector. Example 34 illustrates this case.



Example 34. For the global assertion $\mathcal{G}_{34}$ given below, $\mathsf{TS}(\mathcal{G}_{34})$ does not hold because $\mathsf{true} \not\supset (x > 8 > 6)$:

$\mathcal{G}_{34} = p \to q : \{x \mid \mathsf{true}\}.$
$\qquad\quad\ \mu t(8)\{y \mid x > y > 6\}.\mathcal{G}'$

However, using the initialisation parameters, we can lift $x > 8 > 6$, i.e., the original predicate where we replaced $y$ by $8$, to the interaction preceding the recursion. TS now holds in the new global assertion (assuming that $\mathsf{TS}(\mathcal{G}')$ holds as well).



Remark 35. In Example 34, if we had only lifted $x > y > 6$, as in the interaction case, it would not have solved the TS problem. Indeed, the predicate of the first interaction would have become $\exists y.\ x > y > 6$ which does not exclude values for $x$ which are incompatible with the invariant (e.g., $x = 8$).

The overall lifting procedure is given below. It relies on a repeated application of $\mathsf{TSres}$ until either the assertion tree validates TS or the function fails to solve the problem. In the latter case, the function returns the most improved version of the tree and the node at which it failed.

Definition 36 ($\Phi_3$). $\Phi_3$ is defined as follows, given a global assertion $\mathcal{G}$:

$\Phi_3(\mathcal{G}) = \begin{cases} \Phi_3(\mathsf{TSres}_{\mathcal{T}(\mathcal{G})}(n)) & \text{if there is } n \in \mathsf{TS}(\mathcal{T}(\mathcal{G})) \text{ s.t. } \mathsf{TSres}_{\mathcal{T}(\mathcal{G})}(n) \neq \bot \\ \mathcal{G}, n & \text{otherwise} \end{cases}$
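To make the TS check and the lifting step of Definitions 26 to 33 concrete, the following finite-domain model in Python runs them on Examples 25 and 34 (including the failed lifting of Remark 35). This is an added illustration, not the paper's or the toolkit's code; it assumes a bounded integer domain DOM so that quantifiers can be decided by enumeration, and that every variable is known to every participant, so only the existential quantifier of build is exercised.

```python
"""Finite-domain model of the TS check (Def. 26-27) and of lifting (Def. 31, 33)
run on Examples 25 and 34. Added illustration, not the paper's tool: integer
variables range over the constructed domain DOM so quantifiers are decided by
enumeration, and every variable is assumed known to every participant, so the
universal quantifier of build is never needed (only the existential one)."""
from itertools import product

DOM = range(0, 16)  # constructed finite domain (an assumption of this example)

# A path is a list of nodes, each a dict. An interaction node {"var", "cst"}
# introduces one variable constrained by cst; a recursive definition
# {"var", "init", "cst"} introduces the parameter var initialised to init with
# invariant cst. Predicates are callables over a dict of variable values.
EX25 = [
    {"var": "x", "cst": lambda e: e["x"] < 10},
    {"var": "y", "cst": lambda e: e["y"] > 8},
    {"var": "z", "cst": lambda e: e["x"] > e["z"] > 6 and e["y"] != e["z"]},
]
EX34 = [
    {"var": "x", "cst": lambda e: True},
    {"var": "y", "init": 8, "cst": lambda e: e["x"] > e["y"] > 6},
]


def vars_before(path, k):
    """Variables introduced by the nodes strictly before node k."""
    return [n["var"] for n in path[:k]]


def ts_node(path, k):
    """TSnode_T(n_k): for every assignment of the earlier variables satisfying
    PRED(n_k) (the conjunction of the earlier predicates), the node's own
    constraint must be satisfiable: an interaction node needs some value of its
    new variable, a recursive definition needs its initial value to satisfy the
    invariant (psi implies psi'[e/v] in Def. 24)."""
    node, before = path[k], vars_before(path, k)
    for vals in product(DOM, repeat=len(before)):
        env = dict(zip(before, vals))
        if not all(n["cst"](env) for n in path[:k]):
            continue
        candidates = [node["init"]] if "init" in node else DOM
        if not any(node["cst"]({**env, node["var"]: d}) for d in candidates):
            return False
    return True


def ts(path):
    """TS(T): the first node violating TSnode (all earlier nodes satisfy it)."""
    return next(({k} for k in range(len(path)) if not ts_node(path, k)), set())


def lift(path, k, free, pred):
    """build_T(n_k, pred): conjoin 'exists y . pred' to each earlier node whose
    variable occurs in pred, where y are the variables of pred introduced after
    that node and up to n_k (Def. 31 with the universal part empty)."""
    new = [dict(n) for n in path]
    for j in range(k):
        if path[j]["var"] not in free:
            continue
        later = [v for v in vars_before(path, k + 1)[j + 1:] if v in free]
        old = path[j]["cst"]

        def lifted(e, old=old, later=later):
            return old(e) and any(pred({**e, **dict(zip(later, vals))})
                                  for vals in product(DOM, repeat=len(later)))
        new[j]["cst"] = lifted
    return new


def demo():
    """Returns (TS(EX25), TS after lifting, TS(EX34), TS after lifting the
    instantiated invariant, TS after the naive lifting of Remark 35)."""
    # Example 25: the node introducing z violates TS; lifting z > 6 and x > z
    # (rewrite's phi together with the conflicting part found by split) repairs it.
    fixed25 = lift(EX25, 2, {"x", "z"}, lambda e: e["z"] > 6 and e["x"] > e["z"])
    # Example 34: true does not imply x > 8 > 6. Lifting the invariant with y
    # replaced by the initial value 8 works (second case of Def. 33); lifting
    # exists y . x > y > 6 does not, because x = 8 still slips through.
    fixed34 = lift(EX34, 1, {"x"}, lambda e: e["x"] > 8 > 6)
    naive34 = lift(EX34, 1, {"x", "y"}, lambda e: e["x"] > e["y"] > 6)
    return ts(EX25), ts(fixed25), ts(EX34), ts(fixed34), ts(naive34)


if __name__ == "__main__":
    print(demo())  # ({2}, set(), {1}, set(), {1})
```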



4.2 Applying $\Phi_3$ to branching and recursion



Branching. According to Def. 24, TS fails on branching nodes only when none of the branches is satisfiable. The underlying idea is that the architect may want to design their choreography in such a way that a branch cannot be taken when some variables have a particular value.

Therefore, the architect should be involved in the resolution of the problem. Two options are possible: either the disjunction of all the predicates found in the branches is lifted, or the predicate of one of the branches is lifted. Arguably, the latter may also prevent the other branches from being chosen, as shown in Example 37.

Example 37. As an illustration, we consider the following assertion:

$\mathcal{G}_{37} = p \to q : \{v \mid \mathsf{true}\}.$
$\qquad\quad\ p \to q : \{v > 5\}\ l_1 : \mathcal{G}_1$
$\qquad\qquad\qquad\ \{v < 5\}\ l_2 : \mathcal{G}_2$

Assuming that $\mathsf{TS}(\mathcal{G}_1)$ and $\mathsf{TS}(\mathcal{G}_2)$ hold, we have that $\mathsf{TS}(\mathcal{G}_{37})$ does not hold because $\mathsf{true} \not\supset (v > 5 \vee v < 5)$. It is obvious that if $v = 5$ no branch may be selected.

Let us call $n$ the node corresponding to the branching in the second line of $\mathcal{G}_{37}$. Depending on the intention of the architect the problem could be fixed by one of these invocations of $\mathsf{build}$ (where, in both cases, superfluous quantifiers are removed).

• $\mathsf{build}_{\mathcal{T}(\mathcal{G}_{37})}(n, v > 5 \vee v < 5)$ replaces the predicate in the first line by $\mathsf{true} \wedge (v > 5 \vee v < 5)$

• $\mathsf{build}_{\mathcal{T}(\mathcal{G}_{37})}(n, v < 5)$ replaces the predicate in the first line by $\mathsf{true} \wedge (v < 5)$.

Both solutions solve the TS problem; however, the second one prevents the first branch from ever being taken. Given an assertion tree $T$ and a branching node $n \in T$ such that TS does not hold (we also assume that TS is not violated in $parent_T(n){\uparrow}_T$, as in Def. 27), one can invoke $\mathsf{build}_T(n, \psi)$ where $\psi$ is either the disjunction of all the branching predicates or the predicate of one of the branches. If the function does not return $\bot$, then the TS problem is solved. Notice that we do not have to use either $\mathsf{rewrite}$ or $\mathsf{split}$ to solve problems in branching.



Recursion. We have seen that when a TS violation is detected in a recursive definition, lifting may be applied. However, lifting a predicate involving a recursion parameter $v$ would require strengthening the invariant where $v$ is introduced. This is quite dangerous, therefore the lifting algorithm does not apply in this case. In fact, for recursive definitions and calls, Def. 24 requires $\psi \supset \psi'[e/v]$, where $\psi'$ is the recursion invariant and $\psi$ is the conjunction of the previous predicates. Hence, lifting a predicate involving a recursion parameter may strengthen the invariant, and possibly create a new problem in a corresponding recursive call. Moreover, notice that, in recursive calls, $\mathsf{GSat}$ (Def. 24) requires that $\psi \wedge \psi' \supset \psi'[e/v]$; namely, strengthening $\psi'$ would automatically strengthen $\psi'[e/v]$ and therefore leave the TS problem unsolved.

On the other hand, TS problems can be solved when they occur in recursive calls. In fact, let a TS problem appear at a node $n \in T$ such that $n = t(e)$ and let $\psi(v)$ be the invariant of the definition of $t$; then if the invocation of $\mathsf{build}_T(n, \psi[e/v])$ succeeds, the problem is solved.

In order to give a more complex example of the application of $\Phi_3$, with TS problems in recursive calls, we consider the following example.

Example 38. Consider the global assertion below

$\mathcal{G}_{38} = \mathsf{Generator} \to \mathsf{Server} : \{n \mid n > 0\}.$
$\qquad\quad\ \mathsf{Player} \to \mathsf{Server} : \{x \mid \mathsf{true}\}.$
$\qquad\quad\ \mu t(x)\{r \mid r > 0\}.$
$\qquad\quad\ \mathsf{Server} \to \mathsf{Player} : \{r > n\}\ less : \mathsf{Player} \to \mathsf{Server} : \{y \mid \mathsf{true}\}.t(y)$
$\qquad\qquad\qquad\qquad\qquad\quad\ \{r < n\}\ greater : \mathsf{Player} \to \mathsf{Server} : \{z \mid \mathsf{true}\}.t(z)$
$\qquad\qquad\qquad\qquad\qquad\quad\ \{r = n\}\ win : \mathsf{end}$

modelling a small game where a Player has to guess an integer $n$, following the hints given by a Server. The number is fixed by a Generator. Each time Player sends Server a number, Server says whether $n$ is less or greater than that number.

Let $T_{38}$ be the tree $\mathcal{T}(\mathcal{G}_{38})$. There is a TS problem at the node corresponding to the recursive definition; indeed if $x < 0$, the invariant is not respected. After the first loop of $\Phi_3(T_{38})$, the predicate $x > 0$ is added in the second interaction. Then, the algorithm loops two more times to solve the problems appearing before the recursive calls. It adds $y > 0$ and $z > 0$ in the interactions of the less and greater branches, respectively. The global assertion now validates temporal satisfiability.

4.3 Properties of $\Phi_3$

Similarly to the algorithms of § 3, $\Phi_3$ does not modify the structure of the tree and preserves the properties of the initial assertion.

Proposition 39 (Underlying Type Structure - $\Phi_3$). Let $\mathcal{G}$ be a global assertion. If $\Phi_3(\mathcal{G})$ returns $\mathcal{G}'$ then $erase(\mathcal{G}) = erase(\mathcal{G}')$ (see Section 3.3 for the definition of $erase$).

Proof sketch. The proof is by induction on the structure of $\mathcal{G}$, similarly to the one of Proposition 20. □

Also, $\Phi_3$ does not introduce new HS or TS problems.

Proposition 40 (Properties Preservation - $\Phi_3$). Assume $\Phi_3(\mathcal{G}) = \mathcal{G}'$. If $\mathsf{HS}(\mathcal{G}) = \emptyset$ then $\mathsf{HS}(\mathcal{G}') = \emptyset$, and if $\mathsf{TS}(\mathcal{G}) = \emptyset$ then $\mathsf{TS}(\mathcal{G}') = \emptyset$.

Proof sketch. The preservation of HS follows from the fact that all the variables which are not known to a participant are quantified (either universally or existentially) in the modified predicates. The proof of TS preservation follows trivially from the first case of Def. 36. □

In addition, we have that $\Phi_3$ preserves the domain of possible values for each variable from the initial assertion.

Proposition 41 (Assertion predicates). If $\Phi_3(\mathcal{G}) = \mathcal{G}'$ then for all $n \in \mathcal{T}(\mathcal{G})$ such that $n$ is a leaf and its corresponding node $n' \in \mathcal{T}(\mathcal{G}')$ (cf. Proposition 39)

$\mathsf{PRED}_T(n) \iff \mathsf{PRED}_{T'}(n')$

Proof sketch. The proof follows from the observation that predicates are only duplicated in the tree, i.e. the lifting algorithm does not add any new constraints in the conjunction of the predicates found on the path from the root to a leaf. □



Finally, Proposition 42 establishes an intermediate result for the correctness of $\Phi_3$. It says that a successful invocation of $\mathsf{TSres}$ on a node removes the problem at that node.

Proposition 42 (Correctness - TSres). Let $T$ be an assertion tree, and $N = \mathsf{TS}(T)$. For each $n \in N$ such that $\mathsf{TSres}_T(n) \neq \bot$, we have $n \notin \mathsf{TS}(\mathsf{TSres}_T(n))$.

Proof sketch. We sketch the key part of the proof, i.e. the proof of the correctness of $\mathsf{build}$ for interaction nodes.

Let $T$ be an assertion tree with a node $n$ such that $n \in \mathsf{TS}(T)$, and $n = s \to r : \{v \mid \varphi \wedge \beta \wedge \gamma\}$ such that $\beta$ is in conflict on $var(n)$ with $\varphi \wedge \gamma$ in $\mathsf{PRED}_T(n)$. Then $\varphi \wedge \beta$ is the predicate to be lifted. Assume $\hat{T} = \mathsf{build}_T(n, \varphi \wedge \beta)$.

By Def. 31 we have that, for suitable $x_1, y_1, \ldots, x_k, y_k$,

$\mathsf{PRED}_{\hat{T}}(n) = \mathsf{PRED}_T(n) \wedge \forall x_1.\exists y_1.(\varphi \wedge \beta)\sigma_1 \wedge \ldots \wedge \forall x_k.\exists y_k.(\varphi \wedge \beta)\sigma_k$ (4.1)
$\qquad\qquad\quad \iff \forall x_1 \ldots x_k.\ \mathsf{PRED}_T(n) \wedge \exists y_1.(\varphi \wedge \beta)\sigma_1 \wedge \ldots \wedge \exists y_k.(\varphi \wedge \beta)\sigma_k$ (4.2)

where we assume $k$ substitutions $\sigma_i$ such that the variables bound by $\forall x_i.\exists y_i$ in $(\varphi \wedge \beta)\sigma_i$ are pairwise distinct. We have that a quantified version of $\varphi \wedge \beta$ is added $k$ times in the assertion tree, above $n$.

Note that there must be a $j$ such that $\exists y_j.(\varphi \wedge \beta)\sigma_j \iff \exists v.(\varphi \wedge \beta)$. Indeed, the variables which are quantified existentially are the ones that (i) appear in $\varphi \wedge \beta$, and (ii) are fixed below in the tree. Therefore, the predicate which is added in the last node before $n$ must quantify existentially $v$, only. If there were another variable to be quantified existentially then it would not be the last node to be updated.

By Def. 31 we also know that every $(\varphi \wedge \beta)\sigma_i$ is satisfiable.

By the definition of conflict (Def. 30), we have that $\mathsf{PRED}_T(n) \supset \exists v.(\varphi \wedge \gamma)$ and $\mathsf{PRED}_T(n) \not\supset \exists v.(\varphi \wedge \beta)$ (hence, $\mathsf{PRED}_T(n)$ is satisfiable). Therefore, by weakening, we have that

$\mathsf{PRED}_{\hat{T}}(n) \supset \exists v.(\varphi \wedge \gamma)$ (4.3)

By (4.1), we have that

$\mathsf{PRED}_{\hat{T}}(n) \supset \exists v.(\varphi \wedge \beta)$ (4.4)

since $\exists v.(\varphi \wedge \beta)$ (modulo renaming) is one of the conjuncts of $\mathsf{PRED}_{\hat{T}}(n)$.

TS must hold for $n$, which implies that $n \notin \mathsf{TS}(\hat{T})$ and $\mathsf{TSnode}_{\hat{T}}(n)$ holds, i.e.

$\mathsf{PRED}_{\hat{T}}(n) \supset \exists v.(\varphi \wedge \beta \wedge \gamma)$

Otherwise, that would imply that

$\mathsf{PRED}_{\hat{T}}(n) \wedge \forall v.(\neg\varphi \vee \neg\beta \vee \neg\gamma)$

which is in contradiction with (4.3) ($\varphi$ and $\gamma$) and (4.4) ($\beta$). □



Finally, we can say that, if a repeated application of lifting succeeds, the global assertion which is returned satisfies temporal satisfiability.

Theorem 43 (Correctness - $\Phi_3$). If $\Phi_3(\mathcal{G}) = \mathcal{G}'$ then $\mathsf{TS}(\mathcal{G}') = \emptyset$.

Proof sketch. The proof is by induction on the number of problematic nodes and the minimum depth of these nodes in the tree. It relies on Proposition 42, i.e. the fact that $\mathsf{TSres}_T(n)$ either solves the problem at $n$ or fails.

Let $T = \mathcal{T}(\mathcal{G})$ and $N$ be the set of nodes in $T$ which violate TS. We write $|n|$ for the depth of $n$ in $T$ (the root having depth $0$).

1. If $N = \emptyset$, then $T$ is TS.

2. If $N \neq \emptyset$, let $n \in \mathsf{TS}(T) \subseteq N$; after an invocation of $\mathsf{TSres}_T(n)$, we have

(a) If $|n| > 1$ then either

i. $N := N \setminus \{n\}$, i.e. the node is simply removed from the set of problematic nodes,

ii. $N := N \cup N' \setminus \{n\}$ with $\forall n' \in N'.\ |n'| < |n|$, i.e. the problem at $n$ is solved but other problematic nodes, above $n$ in $T$, are added, or,

iii. the algorithm fails on $n$.

(b) If $|n| \leq 1$ then either $N := N \setminus \{n\}$, or the algorithm fails. In fact, once the algorithm reaches a problem located at a child of the root, then it either fails or solves the problem. Indeed, there cannot be a TS problem at the root node unless the predicate is unsatisfiable (see Def. 24), in which case the algorithm fails.

Note that selecting $n \in \mathsf{TS}(T)$ implies that the depth of $n$ is smaller than or equal to the depth of the nodes in $N$.

It can be shown by induction that the algorithm terminates either with $\mathsf{TS}(T) = \emptyset$, or a failure.

Regarding step 2(a)ii, note that the algorithm cannot loop on a problematic node indefinitely. Indeed, the number of (sub)predicates available for lifting is finite and, by Def. 30, the algorithm moves only the predicates from which the problem originates, e.g. an equivalent constraint cannot be lifted twice. □



5 A methodology for amending choreographies

The algorithms $\Phi_1$, $\Phi_2$, and $\Phi_3$ in § 3 and § 4 can be used to support a methodology for amending contracts in choreographies. The methodology mainly consists of the following steps: (i) the architect designs a choreography $\mathcal{G}$, (ii) the architect is notified if there are any HS or TS problems in $\mathcal{G}$, (iii) using $\Phi_1$ and $\Phi_2$ solutions may be offered for HS problems, while $\Phi_3$ can be used to offer solutions and/or hints on how to solve TS problems; (iv) the architect picks one of the solutions offered in (iii). Steps (ii) to (iv) are repeated until all the problems have been solved. We sketch our methodology using the following global assertion:

$\mathcal{G} = \mu t(10)\{v \mid v > 0\}.$
$\qquad \mathsf{Alice} \to \mathsf{Bob} : \{v_1 \mid v > v_1\}.$
$\qquad \mathsf{Bob} \to \mathsf{Carol} : \{v_2 \mid v_2 > v_1\}.$
$\qquad \mathsf{Carol} \to \mathsf{Alice} : \{v_3 \mid v_3 > v_1\}.$
$\qquad \mathsf{Carol} \to \mathsf{Bob} : \{v_4 \mid v_4 > v\}.$
$\qquad \mathsf{Alice} \to \mathsf{Bob} : \{\mathsf{true}\}\ cont : t(v_1),$
$\qquad\qquad\qquad\qquad\quad\ \{\mathsf{true}\}\ finish : \mathsf{Alice} \to \mathsf{Bob} : \{v_5 \mid v_1 < v_5 < v_3 - 2\}$

which extends the global assertion in Example 9.

First, $\mathcal{G}$ is inspected by history sensitivity and temporal satisfiability checkers, such as the ones implemented in [7]. If there are any HS problems, the $\Phi_1$ and $\Phi_2$ algorithms are used, while $\Phi_3$ is used for TS problems. This allows the architect to detect all the problems and consider the ones for which (at least) one of the algorithms is applicable.

We assume here that the architect focuses on HS problems first. In $\mathcal{G}$ there are two HS problems, both of them can be solved automatically, and the methodology will return that

1. At line 4, $v_1$ is not known by Carol; the problem is solvable by either

• replacing $v_3 > v_1$ by $v_3 > v_2$ (algorithm $\Phi_1$) at line 4, or

• revealing $v_1$ to Carol (algorithm $\Phi_2$); in this case, line 3 becomes

$\mathsf{Bob} \to \mathsf{Carol} : \{v_2\ u_1 \mid v_2 > v_1 \wedge u_1 = v_1\}$

and the assertion at line 4 becomes $v_3 > u_1$.

2. At line 5, $v$ is not known by Carol; the problem is solvable by revealing the value of $v$ to Carol (algorithm $\Phi_2$) in which case line 3 becomes

$\mathsf{Bob} \to \mathsf{Carol} : \{v_2\ u_2 \mid v_2 > v_1 \wedge u_2 = v\}$

and the assertion at line 5 becomes $v_4 > u_2$.

In the propagation case (i.e., $\Phi_2$), the methodology gives the architect information on which participants the value of a variable may be disclosed to. Indeed, as discussed in Remark 18, it may not be appropriate to use the suggested solution. Therefore, the actual adoption of the proposed solutions should be left to the architect. In addition, the order in which problems are tackled is also left to the architect (e.g., the same variable may be involved in several problems and solving one of them may automatically fix the others). Assuming that $\Phi_1$ is used to solve the first problem and $\Phi_2$ to solve the second, the first five lines of the new global assertion are those in Example 16 and HS is fixed.

Now HS is satisfied in $\mathcal{G}$, but TS problems are still there. In case a TS problem cannot be solved automatically, additional information can be returned: (a) at which node the problem occurred, (b) which variables or recursion parameters are posing problems (i.e. using $\mathsf{split}$ and $\mathsf{build}$), and (c) where liftings are not possible (i.e. when $\mathsf{build}$ fails to add a satisfiable predicate to a node). For $\mathcal{G}$ there are two TS problems which are dealt with sequentially. The methodology would report that

1. At line 6, $v_1$ does not satisfy the invariant $v > 0$. This can be solved by lifting $v_1 > 0$ (i.e. the invariant where $v$ is replaced by the actual parameter $v_1$) to the interaction at line 2, which would yield the new assertion $v > v_1 \wedge v_1 > 0$.

2. At line 7, there might be no value for $v_5$ such that $v_1 < v_5 < v_3 - 2$. The assertion is in conflict (cf. Def. 30) with the previous predicates; this problem cannot be solved since lifting would add the following predicates in lines 2 and 4, respectively.

• $\exists v_3, v_5.\ v_1 < v_5 < v_3 - 2$ which is indeed satisfiable, but remarkably does not constrain $v_1$ more than the initial predicate.

• $\forall v_1.\exists v_5.\ v_1 < v_5 < v_3 - 2$ which is not satisfiable, therefore the algorithm fails.

The failure of $\Phi_3$ is due to the fact that $v_5$ is constrained by $v_1$ and $v_3$ which are fixed by two different participants. They would have to somehow interact in order to guarantee that there exists a value for $v_5$; this cannot be done automatically. Notice that in this case the methodology tells the architect that $v_5$, fixed by Alice, is constrained by $v_1$ and $v_3$ which are fixed by Alice and Carol, respectively. Our methodology can also suggest that the node introducing $v_3$, or (the part of) the assertion over $v_3$ may be the source of the problem since $v_3$ is the only variable not known by Alice.

Remark 44. The application of an algorithm could compromise the application of another one due to some "interference" effect that may arise. For instance, applying strengthening ($\Phi_1$) could spoil the application of lifting ($\Phi_3$) and vice versa (cf. § 6 for an intuitive explanation).



6 Conclusions

In this paper, we investigated the problem of designing consistent assertions. We focused on two consistency criteria from [3]: history sensitivity and temporal satisfiability. We proposed and compared three algorithms ($\Phi_1$, $\Phi_2$, and $\Phi_3$) to amend global assertions. Since each algorithm is applicable only in certain circumstances, we proposed a methodology that supports the architect when violations are not automatically amendable.

On the theoretical side, the algorithms $\Phi_1$, $\Phi_2$, and $\Phi_3$ address the general problem of guaranteeing the satisfiability of predicates when: (1) the parts of the system have a different perspective/knowledge of the available information (in the case of history sensitivity), and (2) the constraints are introduced progressively (in the case of temporal satisfiability). The proposed solutions can be adapted and used, for instance, to amend processes (rather than types) or orchestrations (rather than choreographies, when we want to check for local constraints), e.g., expressed in formalisms such as CC-Pi [4], a language for distributed processes with constraints. Interestingly, temporal satisfiability is similar to the feasibility property in [1] requiring that any initial segment of a computation must be possibly extended to a full computation to prevent "a scheduler from 'painting itself into a corner' with no possible continuation". A promising future development is to investigate more general accounts of satisfiability applicable to different application scenarios.

In the scope of future work, we will study the "interference" issues of the three algorithms (see Remark 44) so as to refine our methodology and use them more effectively. We conjecture, for instance, that conflicts between $\Phi_1$ and $\Phi_3$ appear only when the variable introduced where an HS problem is solved by $\Phi_1$ is also involved in a TS problem. More precisely, let $v$ be introduced at a node $n$ having an HS problem. If $\Phi_1$ is used to solve such a problem the constraint at $n$ will be strengthened. Now, if a node $n'$ (further down than $n$ in the tree) has a TS problem with a conflict involving $v$, the predicate at $n$ will be updated (i.e. strengthened) by $\Phi_3$. Therefore, the predicate at $n$ would be strengthened by each algorithm in an independent way. This may render the predicate at $n$ unsatisfiable.

We will also study the applicability of our methodology in more realistic cases in order to assess the quality of the solutions offered by our algorithms. We plan to implement our algorithms and support for the methodology by integrating them in the tool introduced in [7].

References

[1] Krzysztof R. Apt, Nissim Francez & Shmuel Katz (1988): Appraising fairness in languages for distributed programming. Distributed Computing 2, pp. 226-241.

[2] Lorenzo Bettini, Mario Coppo, Loris D'Antoni, Marco De Luca, Mariangiola Dezani-Ciancaglini & Nobuko Yoshida (2008): Global Progress in Dynamically Interleaved Multiparty Sessions. In Franck van Breugel & Marsha Chechik, editors: CONCUR, Lecture Notes in Computer Science 5201, Springer, pp. 418-433. Available at http://dx.doi.org/10.1007/978-3-540-85361-9_33

[3] Laura Bocchi, Kohei Honda, Emilio Tuosto & Nobuko Yoshida (2010): A Theory of Design-by-Contract for Distributed Multiparty Interactions. In Paul Gastin & François Laroussinie, editors: CONCUR, Lecture Notes in Computer Science 6269, Springer, pp. 162-176, doi:10.1007/978-3-642-15375-4_12. Available at http://dx.doi.org/10.1007/978-3-642-15375-4_12

[4] Maria Grazia Buscemi & Ugo Montanari (2007): CC-Pi: a constraint-based language for specifying service level agreements. In: Proceedings of the 16th European conference on Programming, ESOP'07, Springer-Verlag, Berlin, Heidelberg, pp. 18-32, doi:10.1007/978-3-540-71316-6. Available at http://portal.acm.org/citation.cfm?id=1762174.1762179

[5] Marco Carbone, Kohei Honda & Nobuko Yoshida (2007): Structured Communication-Centred Programming for Web Services. In: 19th International Conference on Concurrency Theory (Concur'08), Springer, pp. 2-17, doi:10.1007/978-3-540-71316-6. Available at http://www.eecs.qmul.ac.uk/~carbonem/cdlpaper/esop2007.pdf

[6] Kohei Honda, Nobuko Yoshida & Marco Carbone (2008): Multiparty asynchronous session types. In: POPL, pp. 273-284, doi:10.1145/1328438.1328472. Available at http://doi.acm.org/10.1145/1328438.1328472

[7] Julien Lange & Emilio Tuosto (2010): A Modular Toolkit for Theories of Distributed Interactions. In: PLACES. To appear.

[8] Bertrand Meyer (1997): Object-Oriented Software Construction (Chapter 31). Prentice Hall.



